Abstract. A practical quantum key distribution (QKD) protocol necessarily runs in finite time and, hence, only a finite amount of communication is exchanged. This is in contrast to most of the standard results on the security of QKD, which only hold in the limit where the number of transmitted signals approaches infinity. Here, we analyze the security of QKD under the realistic assumption that the amount of communication is finite. At the level of the general formalism, we present new results that help simplify the actual implementation of QKD protocols: in particular, we show that symmetrization steps, which are required by certain security proofs (e.g., proofs based on de Finetti's representation theorem), can be omitted in practical implementations. Also, we demonstrate how two-way reconciliation protocols can be taken into account in the security analysis. At the level of numerical estimates, we present the bounds with finite resources for "device-independent security" against collective attacks.



1 Introduction 

Quantum key distribution (QKD) is one of the most mature fields of quantum information science, both from the theoretical and the experimental point of view [1,2,3]. This does not mean, however, that the open questions are merely technical ones: in this paper, we are concerned with an issue that is in fact rather crucial for the assessment of security of real devices.

Most unconditional security proofs of QKD have provided an asymptotic bound for the secret key rate $r$, valid only in the limit of infinitely long keys [4,5,6,7,8]. This reads in general [9]

$$r = S(X|E) - H(X|Y) , \tag{1}$$

where $S(X|E) := S(XE) - S(E)$ and $H(X|Y) := H(XY) - H(Y)$ are the conditional von Neumann and Shannon entropies, respectively, evaluated for the joint state of Alice and Bob's raw key and the system controlled by Eve (after the sifting step).

In real experiments, obviously, finite resources are used. As a matter of fact, the need for finite key analysis was recognized several years ago [10]. In early security proofs though, the security parameter

$$\text{"Deviation from the ideal case"} \leq \varepsilon \tag{2}$$

was defined in terms of "accessible information". This measure of deviation had two shortcomings, namely (i) it does not provide composable security, as proved in [11], and (ii) it has no operational interpretation. It turns out that both shortcomings are not problematic for asymptotic bounds¹, but for finite-key analysis a different definition must be used. A correct definition was used for the first time in [13], but the authors considered only a restricted class of attacks. While partial, these and other studies [14,15,16] triggered the awareness that a large $N$ would be required for a QKD experiment to produce a secure key.

More recently, Hayashi used a valid definition (although the concern for composable security is not addressed explicitly) in his analysis of the BB84 protocol with decoy states [17]. Hayashi's bound has been applied to experimental data [18]. Apart from being possibly the first creation of a truly unconditional secure key, this experiment provides an instructive example of how critical finite key analysis is. Indeed, for the observed error rate $Q \approx 5\%$ and the choice $\varepsilon = 2^{-9}$, 4100 secret bits could be extracted from each raw key block of $n \approx N/2 = 10^5$ bits: in other words, the final secret key rate was $r \approx 2\%$, instead of the $r \approx 43\%$ predicted by the asymptotic bound. Security bounds for finite resources are definitely one of the most urgent tasks for practical QKD [3].

Recently we have shown that the theoretical tools developed by one of us [19] can be used to provide a compact approach to security proofs in the non-asymptotic limit [20]. Our formalism leads to a generalized version of the secret key rate that reads

$$r = (n/N) \left[ S_\xi(X|E) - \Delta - \mathrm{leak}_{EC}/n \right] . \tag{3}$$

Comparing with (1), four modifications should be noticed: (i) only a fraction $n$ of the signals contributes to the key, the rest must be used for parameter estimation; (ii) the parameter estimation has finite precision $\xi$; (iii) the task of privacy amplification itself has a security parameter $\Delta$; and (iv) the error correction protocol may not reach the Shannon limit, so $\mathrm{leak}_{EC} \geq nH(X|Y)$.

¹ The absence of an operational interpretation of $\varepsilon$ is not a problem since any deviation is supposed to vanish for asymptotically long keys. Furthermore, the fact that asymptotic bounds can be "redeemed" for composability is a consequence of the result of [12] saying that keys obtained by two-universal hashing provide composable security.

In this paper, we revisit our previous work and improve it by two important observations (Lemmas 1 and 2 below), then we present a new example of explicit calculation (Section 4.2).

2 Basic definitions 

2.1 Definition of security 

In the existing literature on QKD, not only the analysis, but also the very definition of security is mostly limited to the asymptotic case; and we therefore need to revisit it here. Most generally, the security of a key $K$ can be parametrized by its deviation $\varepsilon$ from a perfect key, which is defined as a uniformly distributed bit string whose value is completely independent of the adversary's knowledge. In an asymptotic scenario, a key $K$ of length $\ell$ is commonly said to be secure if this deviation $\varepsilon$ tends to zero as $\ell$ increases. In the non-asymptotic scenario studied here, however, the deviation $\varepsilon$ is always finite. This makes it necessary to attribute an operational interpretation to the parameter $\varepsilon$. Only then is it possible to choose a meaningful security threshold (i.e., an upper bound for $\varepsilon$) reflecting the level of security we are aiming at. Another practically relevant requirement that we need to take into account is composability of the security definition. Composability guarantees that a key generated by a QKD protocol can safely be used for applications, e.g., as a one-time-pad for message encryption. Although this requirement is obviously crucial for practice, it is not met by most security definitions considered in the literature [11].

Our results are formulated in terms of a security definition that meets both requirements, i.e., it is composable and, in addition, the parameter $\varepsilon$ has an operational interpretation. The definition we use was proposed in [21,12]: for any $\varepsilon \geq 0$, a key $K$ is said to be $\varepsilon$-secure with respect to an adversary $E$ if the joint state $\rho_{KE}$ satisfies

$$\frac{1}{2} \left\| \rho_{KE} - \tau_K \otimes \rho_E \right\|_1 \leq \varepsilon , \tag{4}$$

where $\tau_K$ is the completely mixed state on $K$. The parameter $\varepsilon$ can be seen as the maximum probability that $K$ differs from a perfect key (i.e., a fully random bit string) [12]. Equivalently, $\varepsilon$ can be interpreted as the maximum failure probability, where failure means that "something went wrong", e.g., that an adversary might have gained some information on $K$. From this perspective, it is also easy to understand why the definition is composable. In fact, the failure probability of any cryptosystem that uses a perfect secret key only increases by (at most) $\varepsilon$ if we replace the perfect key by an $\varepsilon$-secure key. In particular, because one-time pad encryption with a perfect key has failure probability 0 (the ciphertext gives zero information about the message), it follows that one-time-pad encryption based on an $\varepsilon$-secure key remains perfectly confidential, except with probability at most $\varepsilon$.

2.2 Description of the Generic Protocol 

Although most practical quantum key distribution protocols are prepare-and-measure schemes, for analyzing their security it is often more convenient to consider an entanglement-based formulation. In fact, such a formulation can be obtained by simply replacing all classical randomness by quantum entanglement and postponing all measurements. In the following, we describe the general type of protocol our analysis applies to.

1. Distribution of quantum information: Alice and Bob communicate over an (insecure) quantum channel to generate $N$ identical and independent pairs of entangled particles². The joint state of the $N$ particle pairs together with the information that an adversary might have on them (e.g., acquired by eavesdropping) is denoted by $\rho_{A^N B^N E^N}$.

2. Parameter estimation: Alice and Bob apply a LOCC-measurement³ to $m$ particle pairs selected at random (using the authentic communication channel). We denote the resulting statistics by $\lambda_m$ and the joint state of the remaining (not measured) particles and Eve's system by $\rho_{A^{N-m} B^{N-m} E^N}$. If the statistics $\lambda_m$ fails to satisfy certain criteria, Alice and Bob abort the protocol.

3. Measurement and advantage distillation: Alice and Bob apply block-wise measurements $\mathcal{E}_{A^b B^b}$ on their remaining particles to get raw keys $X^n$ and $Y^n$, respectively. More precisely, $\mathcal{E}_{A^b B^b}$ is an arbitrary LOCC-measurement applied sequentially to blocks $A^b$ of $b$ particles on Alice's side and the corresponding particles $B^b$ on Bob's side. In a protocol without advantage distillation, $\mathcal{E}_{A^b B^b} = \mathcal{E}_A \otimes \mathcal{E}_B$ simply consists of local measurements on single particles, i.e., $b = 1$. However, $\mathcal{E}_{A^b B^b}$ might describe any operation that can be performed by Alice and Bob on a finite block of particle pairs. The resulting state is then given by $\rho_{X^n Y^n E^N} = (\mathcal{E}_{A^b B^b}^{\otimes n} \otimes \mathrm{id}_{E^N})(\rho_{X^{bn} Y^{bn} E^N})$, where $n$ is the number of blocks, i.e., $nb \leq N - m$.

4. Error correction: Alice and Bob exchange classical messages, summarized by $C$, which allow Bob to compute a guess $\hat{X}^{bn}$ for Alice's string $X^{bn}$.

5. Privacy amplification: Alice and Bob generate the final key by applying an appropriately chosen hash function to $X^{bn}$ and $\hat{X}^{bn}$, respectively. The requirement on the hash function is that it maps strings with sufficiently high min-entropy to uniform strings of a certain length $\ell$ (such functions are sometimes called strong (quantum) extractors). A typical (and currently the only known) class of functions satisfying this requirement are two-universal hash functions (see Section 3.4 for examples of two-universal function families).

² We use the term particle here only for concreteness. More generally, they might be arbitrary subsystems.

³ A LOCC-measurement is a measurement on a bipartite system that can be performed by local measurements on the subsystems combined with classical communication.



3 Security analysis 

3.1 Security against collective attacks 

An attack is said to be collective if the interaction of Eve with the quantum channel during the distribution step is i.i.d. This implies that the state after the distribution step is i.i.d., too, that is, $\rho_{A^N B^N E^N} = \sigma_{ABE}^{\otimes N}$, where $\sigma_{ABE}$ is the density operator describing a single particle pair together with the corresponding ancilla $E$ held by Eve.

The following analysis is subdivided into four parts. Each part gives rise to separate errors, denoted by $\varepsilon_{PE}$, $\bar{\varepsilon}$, $\varepsilon_{EC}$, and $\varepsilon_{PA}$, respectively. These sum up to

$$\varepsilon = \varepsilon_{PE} + \bar{\varepsilon} + \varepsilon_{EC} + \varepsilon_{PA} , \tag{5}$$

where $\varepsilon$ is the security of the final key (cf. (4) for the definition of security). Making the individual contributions smaller comes at the cost of reducing other parameters that, eventually, result in a reduction of the size of the final key (see equations (6), (8), (10), and (11)).

— Parameter estimation (minimize set of compatible states $\Gamma$ and number of sample points $m$ vs. minimize failure probability $\varepsilon_{PE}$).

Parameter estimation allows Alice and Bob to determine properties of $\sigma_{AB}$. We express this by defining a set $\Gamma_{\varepsilon_{PE}}$ containing all states $\sigma_{AB}$ that are compatible with the outcomes of the parameter estimation. For concreteness, we assume here that Alice and Bob — depending on the statistics of their measurements — either continue with the execution of the protocol or abort. The set $\Gamma_{\varepsilon_{PE}}$ is then defined as the set of states $\sigma_{AB}$ for which the protocol continues with probability at least $\varepsilon_{PE}$ (i.e., the states from which a key will be extracted with non-negligible probability). The quantity $\varepsilon_{PE}$ corresponds therefore to the probability that the parameter estimation passes although the raw key does not contain sufficient secret correlation. In particular, if Alice and Bob continue the protocol whenever they observe a statistics $\lambda_m$ using a POVM with $d$ possible outcomes then (Lemma 3 of [20])

$$\Gamma_{\varepsilon_{PE}} \subseteq \left\{ \sigma_{AB} : \left\| \lambda_m - \lambda_\infty(\sigma_{AB}) \right\| \leq \sqrt{\frac{2\ln(1/\varepsilon_{PE}) + d\ln(m+1)}{m}} \right\} \tag{6}$$

where $\lambda_\infty(\sigma_{AB})$ denotes the (perfect) statistics in the limit of infinitely many measurements.

— Calculation of the min-entropy (minimize decrease of min-entropy $\delta$ vs. minimize error probability $\bar{\varepsilon}$).

Under the assumption of collective attacks, the joint state of Alice and Bob's as well as the relevant part of Eve's system after the measurement and advantage distillation step is of the form $\rho_{X^n Y^n E^{bn}} = \sigma_{XYE^b}^{\otimes n}$ where

$$\sigma_{XYE^b} := (\mathcal{E}_{A^b B^b} \otimes \mathrm{id}_{E^b})(\sigma_{ABE}^{\otimes b}) . \tag{7}$$

This property allows one to compute a lower bound on the smooth min-entropy of $X^n$ given Eve's overall information $E$ (before error correction), which will play a crucial role in the analysis of the remaining part of the protocol. More precisely, the min-entropy can be expressed in terms of the von Neumann entropy $S$ evaluated for the state $\sigma_{XE^b}$:

$$H_\infty^{\bar{\varepsilon}}(X^n|E^N) \geq n \left( S(X|E^b)_{\sigma_{XE^b}} - \delta \right) \tag{8}$$

where $\delta := 7 \sqrt{\frac{\log_2(2/\bar{\varepsilon})}{n}}$.

— Error correction (information leakage leak vs. failure probability $\varepsilon_{EC}$).

Error correction necessarily involves communication $C$ between Alice and Bob. The maximum leakage of information to an adversary is expressed in terms of min- and max-entropies,

$$\mathrm{leak} := H_0(C) - H_\infty(C|X^n Y^n) .$$

While $H_0(C)$ corresponds to the total number of relevant bits exchanged during error correction, we subtract $H_\infty(C|X^n Y^n)$ which is the number of bits that are independent of the raw key pair $(X^n, Y^n)$. Note the formal resemblance of this expression to the mutual information $I(C : X^n Y^n)$. Indeed, the quantity leak counts the number of bits of $C$ that are correlated to the raw key. In particular, any information that is independent of the raw key, such as the description of an error correcting code, does not contribute. Also, in a protocol where redundant messages are exchanged (this is for instance the case for two-way error correction schemes such as the Cascade protocol [22]), the quantity leak is generally much smaller than the total number of communicated bits.

Typically, there is a trade-off between the leakage leak and the failure probability, i.e., the maximum probability that $\hat{X}^{bn} \neq X^{bn}$ (where the maximum is taken over all possible states in $\Gamma_{\varepsilon_{PE}}$), which we denote by $\varepsilon_{EC}$. This trade-off depends strongly on the actual error correction scheme that is employed, but typically has the form

$$\mathrm{leak}_{\varepsilon_{EC}} = f H_0(X|Y) + \log_2 \frac{2}{\varepsilon_{EC}} \tag{9}$$

where $f$ is a constant larger than 1. In theory, there are error correction schemes with $f$ arbitrarily close to 1, but the decoding is usually not feasible due to computational limitations. In practice, $f \approx 1.05$–$1.2$.

— Privacy amplification (maximize final key length $\ell$ vs. minimize failure probability $\varepsilon_{PA}$).

To evaluate the final key size, we need to bound the decrease of min-entropy after the leakage of information that occurred in error correction. It follows from Lemma 2 below that the smooth min-entropy of $X^n$ given Eve's information after error correction is bounded by

$$H_\infty^{\bar{\varepsilon}}(X^n|E^N C) \geq H_\infty^{\bar{\varepsilon}}(X^n|E^N) - \mathrm{leak}_{\varepsilon_{EC}} . \tag{10}$$

The security of the final key only depends on this quantity and the efficiency of the hash function used for privacy amplification. More precisely, if two-universal hashing is used then, for any fixed $\varepsilon_{PA} > 0$, the maximum length $\ell$ of the final key is bounded by

$$\ell \leq H_\infty^{\bar{\varepsilon}}(X^n|E^N C) - 2\log_2 \frac{1}{\varepsilon_{PA}} . \tag{11}$$

⁴ Two-universal hashing is the procedure normally used for privacy amplification.

Combining (8), (10) and (11), we conclude that the final key is $\varepsilon$-secure, for $\varepsilon = \varepsilon_{PE} + \bar{\varepsilon} + \varepsilon_{EC} + \varepsilon_{PA}$ as in (5), if

$$\ell \leq n \left[ \min_{\sigma_{AB} \in \Gamma_{\varepsilon_{PE}}} S(X|E^b)_{\sigma_{XE^b}} - \delta(\bar{\varepsilon}) \right] - \mathrm{leak}_{\varepsilon_{EC}} - 2\log_2 \frac{1}{\varepsilon_{PA}} \tag{12}$$

where $\sigma_{XE^b}$ is related to $\sigma_{AB}$ via (7) applied to a purification of $\sigma_{AB}$ and



3.2 Security analysis against general attacks 

A general method to turn a proof against collective attacks into a proof against the most general coherent attacks is to introduce additional symmetries. Here we highlight two aspects that have been dealt with only partially in previous works.

A Lemma on symmetrization. The following lemma states that the smooth min-entropy of the state before the symmetry operations have been applied is lower bounded by the smooth min-entropy of the symmetrized state.

Lemma 1. Let $\rho_{XE}$ be a cq-state and let $\{f_R\}$ be a family of functions on $\mathcal{X}$. Then, for any $\varepsilon \geq 0$ and $R$ chosen at random

$$H_\infty^\varepsilon(X|E) \geq H_\infty^\varepsilon(f_R(X)|ER) .$$

Proof. The statement is proved by sequentially applying rules of the smooth entropy calculus.

$$\begin{aligned}
H_\infty^\varepsilon(X|E) &= H_\infty^\varepsilon(X|E) + H_\infty(R|R) \\
&= H_\infty^\varepsilon(XR|ER) \\
&= H_\infty^\varepsilon(f_R(X) X R|ER) \\
&\geq H_\infty^\varepsilon(f_R(X)|ER) .
\end{aligned}$$

The first equality holds because $H_\infty(R|R) = 0$ (there is no uncertainty about $R$ if $R$ is known), and the second is a consequence of the additivity of the min-entropy (Lemma 3.1.6 of [19]). The third equality is simply a consequence of the fact that the computation of the value $f_R(X)$ while keeping the input is a unitary operation, under which the min-entropy is invariant. Finally, the inequality holds because tracing out the classical systems $X$ and $R$ can only decrease the smooth min-entropy (see Lemma 3.1.9 of [19]).



An important practical consequence of this Lemma is that the symmetrization need not actually be implemented. Indeed, the smooth min-entropy is basically the only quantity that is relevant for the security of the final key: then, the statement of the Lemma implies that, if the symmetrized version of the protocol is secure, the original version is also secure.

Permutation symmetry. Lemma 1 above is valid for any symmetrization. Typically, one considers permutation symmetry. This can be achieved, for instance, by randomly permuting the positions of the bits [19] (more precisely, Alice and Bob both apply the same, randomly chosen, reordering to their bitstring). The symmetric states can then be shown to have properties similar to those of i.i.d. states, e.g. via the quantum de Finetti theorem [23]. This in turn leads to a bound of the form (8), with a different definition of the parameter $\delta$ (cf. Theorem 6.5.1 in [19], referring to Table 6.2 for the parameters; the corrections due to the de Finetti theorem are the terms that involve the quantities $k$ and $r$). Thus, a lower bound for security using finite resources can be computed for any discrete-variable protocol.

Such a bound turns out to be very pessimistic: this is the price to pay for its generality⁵. When considering some specific protocols, there can be other, more efficient ways to obtain i.i.d. Specifically, for the BB84 [24] and the six-state protocol [25,26,27], suitable symmetries can be implemented in the protocol itself by random but coordinated bit- and phase flips [28,29]. Security bounds against general attacks can be computed by considering i.i.d. states just because of these symmetries, thus by-passing the need for the de Finetti theorem.

3.3 Decrease of the smooth min-entropy by information leakage

An essential part of the technical security proof presented above is the following lemma, which provides a bound on the decrease of the min-entropy by information leakage in the error correction step. The statement shown here is a generalization of a corresponding statement in [19], which has been restricted to one-way error correction.

⁵ Also, it is an open question whether the existing de Finetti theorem provides tight estimates, or if the bounds can be improved.



Lemma 2. The decrease of the smooth min-entropy by the leakage of information in the error correction step is given by

$$H_\infty^\varepsilon(X|EC) \geq H_\infty^\varepsilon(X|E) - \mathrm{leak} .$$

Proof.

$$\begin{aligned}
H_\infty^\varepsilon(X|EC) &\geq H_\infty^\varepsilon(XC|E) - H_0(C) \\
&\geq H_\infty^\varepsilon(X|E) + H_\infty(C|XE) - H_0(C) \\
&\geq H_\infty^\varepsilon(X|E) + H_\infty(C|XYE) - H_0(C) \\
&= H_\infty^\varepsilon(X|E) + H_\infty(C|XY) - H_0(C)
\end{aligned}$$

The first two inequalities are chain rules and the third is the strong subadditivity for the smooth min-entropy. The last equality follows from the fact that $E \leftrightarrow (X, Y) \leftrightarrow C$ is a Markov chain, because the communication $C$ is computed by Alice and Bob.

3.4 Two-universal hashing 

As explained above, privacy amplification is usually done by two-universal hashing.

Definition 1. A set $\mathcal{F}$ of functions $f$ from $\mathcal{X}$ to $\mathcal{Z}$ is called two-universal if

$$\Pr_f[f(x) = f(x')] \leq \frac{1}{|\mathcal{Z}|} ,$$

for any distinct $x, x' \in \mathcal{X}$ and $f$ chosen at random from $\mathcal{F}$ according to the uniform distribution.

To perform the privacy amplification step, the two parties simply have to choose at random a function $f$ from a two-universal set $\mathcal{F}$ of functions that output strings of length $\ell$, where $\ell$ is chosen such that it satisfies (12). As shown below, there exist constructions of two-universal sets $\mathcal{F}$ of functions that are both easy to describe (the description length is equal to the input length) and that can be efficiently evaluated.

Examples of two-universal function families were first proposed by Carter and Wegman [30,31]. One of the constructions mapping $n$-bit strings to $\ell$-bit strings, for any $\ell \leq n$, only involves addition and multiplication in the field $GF(2^n)$. It is defined as the family $\mathcal{F} = \{f_r\}_{r \in GF(2^n)}$ of functions $f_r$ that, on input $x$, output the $\ell$ least significant bits of $r \cdot x$ (where $\cdot$ denotes the multiplication in $GF(2^n)$), i.e.,

$$f_r : GF(2^n) \to GF(2^\ell) , \qquad x \mapsto [r \cdot x]_\ell .$$
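The family $f_r$ described above, written out as an added example (not code from the paper). The irreducible polynomials, the function names and the exhaustive collision count over the toy field $GF(2^4)$ are choices made for this illustration.

```python
import secrets

# Irreducible polynomials over GF(2) defining the field; bit i is the coefficient of x^i.
IRREDUCIBLE = {
    4: 0b10011,               # x^4 + x + 1
    8: 0x11B,                 # x^8 + x^4 + x^3 + x + 1
    128: (1 << 128) | 0x87,   # x^128 + x^7 + x^2 + x + 1
}


def gf2n_mul(a, b, n):
    """Multiply a and b in GF(2^n): carry-less shift-and-add with reduction."""
    mod = IRREDUCIBLE[n]
    result = 0
    while b:
        if b & 1:
            result ^= a          # addition in GF(2^n) is XOR
        b >>= 1
        a <<= 1
        if a >> n:               # degree reached n: reduce modulo the polynomial
            a ^= mod
    return result


def f_r(r, x, n, ell):
    """f_r(x) = the ell least significant bits of r * x in GF(2^n)."""
    if not 0 < ell <= n:
        raise ValueError("need 0 < ell <= n")
    return gf2n_mul(r, x, n) & ((1 << ell) - 1)


def collision_counts(n, ell):
    """For every pair of distinct inputs, count the seeds r with f_r(x) == f_r(x').

    Two-universality (Definition 1) requires count / 2^n <= 2^(-ell) for all pairs.
    """
    size = 1 << n
    counts = set()
    for x in range(size):
        for x_prime in range(x + 1, size):
            counts.add(sum(1 for r in range(size)
                           if f_r(r, x, n, ell) == f_r(r, x_prime, n, ell)))
    return counts


def privacy_amplify(raw_key, n, ell, r=None):
    """Hash an n-bit raw key (given as an integer) to ell bits.

    The seed r has the same length as the input and may be announced publicly;
    both parties must use the same r.
    """
    if r is None:
        r = secrets.randbits(n)
    return r, f_r(r, raw_key, n, ell)


if __name__ == "__main__":
    # Exactly 2^(n - ell) of the 2^n seeds collide for any pair of distinct inputs.
    print(collision_counts(4, 2))
    seed, key_a = privacy_amplify(0x0123456789ABCDEF0123456789ABCDEF, 128, 64)
    _, key_b = privacy_amplify(0x0123456789ABCDEF0123456789ABCDEF, 128, 64, r=seed)
    print(hex(key_a), key_a == key_b)
```

Because multiplication by a non-zero difference $x \oplus x'$ is a bijection on the field, the bound of Definition 1 is met with equality.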



4 Computing security bounds 



4.1 Summary of the previous section 

Let us re-phrase the results obtained above in a more operational way. An experiment is characterized by the following parameters:

— The protocol, in particular $d$, the number of outcomes of the measurements;

— The number of exchanged quantum signals $N$;

— The estimates of the channel parameters;

— The performances of the error correction protocol, in particular $\varepsilon_{EC}$ and $f$ (recall that these are functions of the parameters);

— The desired level of security $\varepsilon$.

We have found above the bound (12) for the extractable secret key length $\ell$, which is valid for collective attacks, and also for general attacks in the case of the BB84 and the six-state protocols. By setting $r = \ell/N$, one gets the announced expression (3) for the secret key rate.

The expression for $r$ is thus a function of the parameters listed above and several others, namely:

— $n$, $b$ and $m$, subject to the constraint $nb + m \leq N$;

— $\varepsilon_{PE}$, $\bar{\varepsilon}$ and $\varepsilon_{PA}$, subject to the constraint $\varepsilon = \varepsilon_{PE} + \bar{\varepsilon} + \varepsilon_{EC} + \varepsilon_{PA}$.

The best value for $r$ is therefore obtained by optimizing (12) over the free parameters⁶, for a given experiment.

In Ref. [20], we have presented such an optimization for the BB84 and the six-state protocols implemented with single photons, under the restriction that $f$ is a constant and $b = 1$ (one-way error correction). Here, we present the computation of the security bound with finite resources for another protocol.

4.2 An application: "device-independent security" against collective attacks

In 1991, Ekert noticed that the security of QKD could be related to the violation of Bell's inequalities [32]. This remark provided him with the basic intuition, but it remained purely qualitative. Only recently, on a modified version of the Ekert protocol [33], it has been possible to provide a quantitative bound on Eve's information that depends only on the violation of a particular Bell-type inequality [34]. The remarkable property of this study is that this bound is "device-independent": the knowledge of (i) the dimension of the Hilbert space in which Alice's and Bob's signals are encoded and of (ii) the details of the measurements that are performed, is not required. The price to pay for such generality is that there is, as of today, no argument to conclude to unconditional security⁷: the bound has been proved only for collective attacks. It is also worth stressing that, as long as the detection loophole remains open, device-independent security cannot be assessed on real setups [34,35].

⁶ Note that a parameter may be free a priori but be fixed in a given experiment. For instance, if in BB84 the choice of the basis is made passively through a 50-50 beam splitter, one has the additional constraint $m = nb$.

Using our approach, we are going to obtain the non-asymptotic bound for device-independent security against collective attacks. We can use (12) directly. Two elements depend on the protocol and must be discussed:

— The relation between $n$ and $m$ depends on the measurements specified by the protocol (here we set $b = 1$). The protocol specifies that Alice performs three measurements $A_0$, $A_1$ and $A_2$, while Bob performs two measurements $B_1$ and $B_2$. The key is extracted out of the events $(A_0, B_1)$. Coherence in the channel is checked by the Clauser-Horne-Shimony-Holt (CHSH) inequality [36] using $(A_1, A_2; B_1, B_2)$, i.e. from the quantity

$$C = E(A_1 B_1) + E(A_1 B_2) + E(A_2 B_1) - E(A_2 B_2) \tag{13}$$

where $E(A_i B_j) = \mathrm{Prob}(a_i = b_j) - \mathrm{Prob}(a_i \neq b_j)$ is the correlation coefficient for bits. We suppose that Alice chooses $A_0$ with probability $p_{a0}$ and the other settings with equal probability $p_{a1} = p_{a2} = (1 - p_{a0})/2$; and that Bob chooses $B_1$ with probability $p_{b1}$ and $B_2$ with probability $1 - p_{b1}$. Therefore

$$n = p_{a0}\, p_{b1} N , \qquad m_{ij} = \frac{1}{2}(1 - p_{a0})\, p_{bj} N \tag{14}$$

and the other events are discarded.

— In (12), only $S_\xi(X|E) = \min_{\sigma_{ABE} \in \Gamma_{\varepsilon_{PE}}} S(X|E^b)_{\sigma_{XE^b}}$ depends on the protocol, and this quantity contains only the imprecision of the parameter estimation as a finite-key effect — indeed, the other three modifications due to the finite resources, listed in Section 3.1, give rise to the other terms in (12) that are independent of the protocol. Therefore, we only have to allow a deviation of the measured parameters by the quantity $\xi(m, d) = \sqrt{\frac{2\ln(1/\varepsilon_{PE}) + d\ln(m+1)}{m}}$ as defined in (6). The asymptotic version [34]

$$S(X|E) = 1 - h\left( \frac{1 + \sqrt{(C/2)^2 - 1}}{2} \right) \tag{15}$$

depends only on $C$ given in (13). Now, the deviation on the estimate of $E(A_i B_j)$ is $\xi(m_{ij}, 2)$ because a correlation coefficient can be measured by a POVM with $d = 2$ outcomes ("equal bits" and "different bits"). The most unfavorable case being obviously the one when the true value of $C$ is lower than the estimated one, we obtain

$$S_\xi(X|E) = 1 - h\left( \frac{1 + \sqrt{((C - \xi)/2)^2 - 1}}{2} \right) \tag{16}$$

with $\xi = \sum_{i,j=1}^{2} \xi(m_{ij}, 2)$.

⁷ This is in particular true because one does not bound the dimension of the Hilbert space; so the available de Finetti theorem cannot be used. It is important to stress that the usual unconditional security bounds do rely on the assumption that the dimension of the Hilbert space is known — and this is actually more serious than just a technical assumption for the proofs: most protocols, like BB84 and six-state, become provably insecure if one cannot rely on the fact that a meaningful fraction of the measurements are done on two-qubit signals.

Having described the quantities that depend on the protocol, we can run the optimization of $r$ for any $N$ and for some chosen values of $\varepsilon$, $\varepsilon_{EC}$, $f$ and the observed parameters ($C$ and the error rate $Q$). The result is plotted in Fig. 1. Similarly to what was observed for BB84 and six-states [20], no key can be extracted for $N < 10^5$, and the asymptotic value is reached only for $N > 10^{15}$. By monitoring the parameters of the optimization, one finds also that $p_{a0}$ and $p_{b1}$ tend to 1 in the limit $N \to \infty$, as expected.
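The optimization described in Sections 4.1 and 4.2 can be reproduced in a few lines. The following Python code is an added example, not the authors' program: it evaluates the right-hand side of (12) with (6), (9), (14) and (16) and maximizes $r = \ell/N$ over a coarse grid. Assumptions made here: the value $\varepsilon_{EC} = 10^{-10}$ (the value used for Fig. 1 is not legible in this copy), the leakage of the $n$-bit raw key taken as $f\,n\,h(Q) + \log_2(2/\varepsilon_{EC})$, the grid points, and all function names.

```python
import math
from itertools import product


def h(p):
    """Binary Shannon entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def xi(m, d, eps_pe):
    """Deviation allowed by eq. (6) for m samples of a d-outcome POVM."""
    return math.sqrt((2 * math.log(1 / eps_pe) + d * math.log(m + 1)) / m)


def s_device_independent(chsh):
    """Eqs. (15)/(16): bound on Eve's uncertainty from the CHSH value alone."""
    if chsh <= 2.0:                            # no Bell violation, nothing certified
        return 0.0
    return 1.0 - h((1 + math.sqrt((chsh / 2) ** 2 - 1)) / 2)


def key_length(N, Q, p_a0, p_b1, eps_pe, eps_bar, eps_pa, eps_ec, f):
    """Right-hand side of eq. (12) for b = 1, clamped at zero."""
    chsh = 2 * math.sqrt(2) * (1 - 2 * Q)      # relation assumed for Fig. 1
    n = p_a0 * p_b1 * N                        # eq. (14): key events (A0, B1)
    xi_total = 0.0
    for p_bj in (p_b1, 1 - p_b1):
        m_ij = 0.5 * (1 - p_a0) * p_bj * N     # eq. (14), identical for i = 1, 2
        if m_ij < 1:
            return 0.0                         # no sample left for this setting pair
        xi_total += 2 * xi(m_ij, 2, eps_pe)
    delta = 7 * math.sqrt(math.log2(2 / eps_bar) / n)
    # Assumption: H_0(X|Y) of the n-bit raw key is replaced by n * h(Q) in eq. (9).
    leak = f * n * h(Q) + math.log2(2 / eps_ec)
    ell = (n * (s_device_independent(chsh - xi_total) - delta)
           - leak - 2 * math.log2(1 / eps_pa))
    return max(ell, 0.0)


# Coarse search grid (assumption): setting probabilities and splits of the error budget.
P_GRID = (0.5, 0.7, 0.9, 0.97, 0.99, 0.997, 0.999)
EPS_SPLITS = ((1 / 3, 1 / 3, 1 / 3), (0.8, 0.1, 0.1), (0.1, 0.8, 0.1), (0.1, 0.1, 0.8))


def key_rate(N, Q, eps=1e-5, eps_ec=1e-10, f=1.2):
    """Best r = ell / N on the grid, under eps = eps_PE + eps_bar + eps_EC + eps_PA."""
    budget = eps - eps_ec
    best = 0.0
    for p_a0, p_b1, (w_pe, w_bar, w_pa) in product(P_GRID, P_GRID, EPS_SPLITS):
        ell = key_length(N, Q, p_a0, p_b1,
                         w_pe * budget, w_bar * budget, w_pa * budget, eps_ec, f)
        best = max(best, ell / N)
    return best


def asymptotic_rate(Q, f=1.2):
    """Limit N -> infinity of the same expression (all finite-size terms vanish)."""
    return max(s_device_independent(2 * math.sqrt(2) * (1 - 2 * Q)) - f * h(Q), 0.0)


if __name__ == "__main__":
    for Q in (0.02, 0.05):
        print(f"Q = {Q:.0%}, asymptotic r = {asymptotic_rate(Q):.3f}")
        for exponent in (4, 6, 8, 10, 12, 15):
            print(f"  N = 1e{exponent:<2d}  r = {key_rate(10.0 ** exponent, Q):.4f}")
```

For any fixed grid point every finite-size term shrinks as $N$ grows, so the computed rate is non-decreasing in $N$ and stays below the asymptotic value.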

5 Conclusion 

In this paper, we have built on our previous work on finite-key analysis [20] and completed it with some important remarks. Lemma 1 shows that the symmetrization of the data, although required to achieve security proofs, does not need to be done actively, because the min-entropy of the symmetrized data provides a bound for the min-entropy of the non-symmetrized ones. Lemma 2 extends our formalism to include two-way information reconciliation. After completing the general formalism with these Lemmas, we have applied it to derive a finite-key bound for device-independent security against collective attacks (Section 4.2).

Acknowledgments. — This work is supported by the National Research 
Foundation and Ministry of Education, Singapore. 
Fig. 1. Finite-key bound for device-independent security against collective attacks: secret key rate $r$ as a function of the number of exchanged quantum signals $N$, for two values of the observed error rate $Q$; we have assumed the relation $C = 2\sqrt{2}(1 - 2Q)$, which implies $C \approx 2.715$ for $Q = 2\%$ and $C \approx 2.546$ for $Q = 5\%$. We have fixed $\varepsilon = 10^{-5}$, $\varepsilon_{EC} =$ and $f = 1.2$; we have supposed symmetric errors $\mathrm{Prob}(a_0 \neq b_1) = Q$, so that $H_0(X|Y)$ in (9) is replaced by $h(Q)$.